This version of gosu is bringing cves

[dogruis]

docker-library-redis/7.4/alpine/Dockerfile

Line 24 in e5650da

ENV GOSU_VERSION 1.17

tianon/gosu#151
I created an issue to fix the cve errors

linked to redis/redis#13663

After reading this thread I am convinced that gosu shouldn't be used at all. As the lib hasn't had a release in more than a year and the lib owner refuses to bump the golang version anytime soon to 1.23.
tianon/gosu#136

[dogruis]

Just for the update the owner of the lib is refusing to update his library to fix CVEs as stated in his readme.
I understand there is false positives but still maintaining libraries should be a thing.
tianon/gosu#136

[charles-horel-rogers]

@dogruis is there a plan to remove gosu? Or will these vulns remain present in the image

[dogruis]

I am not part of the redis team and I requested something to be done. Tbh I would not use gosu as there is command line alternatives.

[frankyjquintero]

@oranagra @sundb @enjoy-binbin tenemos alguna novedad

[dmaier-redislabs]

Hi @frankyjquintero,

from what I see, I would categorize this as a false-positive, but we will take a deeper look. @adamiBs FYI.

@tianon Could you please confirm the following:

1. You are addressing CVE-s related to Go that are related to interfaces that impact gosu. Because there might be security issues in Go that are irrelevant to gosu, Docker Hub's CVE reporting might include false-positives. So it reports a CVE in Go that has no impact on gosu or the Docker containers that use gosuin the entrypoint script. Is this understanding correct?
2. The command gosu is used to runredis-server under the user redis if no --user flag is specified when starting the container. This seems to be a safeguard mechanism to avoid running the process under root within the container. You can still restrict it more by running the container via docker run --user redis redis.

Regards,
David

[tianon]

Yes, that is correct (on both counts).

[adamiBs]

@Peter-Sh Resolves this in an upcoming release: #435

[adamiBs]

Our latest RC image contains the fix for this:
https://hub.docker.com/layers/library/redis/8.0-rc1/images/sha256-4e04eab2df86d0f888262215afdf467f2509962a7c1818ac4cac9590912dfcd5

[dogruis]

Great but when is this release coming! it's been many many months and still no new tag? You already had a fix months ago what we are asking is a new tag containing the fixes

[adamiBs]

The link I sent is a docker tag that contains this fix. @dogruis

[dogruis]

Not really, it's a release candidate and not a release. So I would wait for a new release instead. Thanks a lot!!!!!

[LiorKogan]

We are very close to the 8.0 GA release.
Sorry, but we cannot share the exact date.

[rayhsieh]

Will this fix be merged into redis 6 and redis 7?